
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #36

May 06, 2008

A few months ago I mentioned two new penetration testing courses -- one for testing networks and systems and one for testing applications. The student feedback is now flowing in, and they are the highest rated courses we have ever run. But more importantly, they are changing the face of penetration testing because the students are learning techniques that have previously been kept secret by the most advanced testers.
For Network/System penetration testing: see courses at http://www.sans.org/pentesting08_summit/
For Web Application testing: see courses at http://www.sans.org/appsec08_summit

TOP OF THE NEWS

According to an unnamed senior Bush administration official, US spy agencies will be required to gather intelligence on cyber threats to the country's computer networks. A January Presidential directive gave US intelligence agencies the authority to monitor federal network traffic to prevent intrusions and data theft. The new directive will allow gathered information to be shared with the private sector. The problem with such arrangements is that sharing information about attacks and intrusions can disclose avenues of infiltration and attack that US intelligence agencies themselves use offensively.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/05/02/AR2008050201646_pf.html
[Editor's Note (Skoudis): The story describes an interesting dilemma faced by many governments: revealing too much information about bad guy attack techniques with the goal of helping defend infrastructures may impact that government's ability to use the same techniques for intelligence or military activities. There's a related aspect as well -- by revealing too much information about sophisticated attacks, we could be inviting copy-cat attacks and spreading attack blueprints to a whole new group of bad guys. I'm not against this sharing of information to help defenders, but I do note that there is a difficult balance to achieve here.]

Attackers sent realistic but phony legal documents to executives at Citibank, eBay and America Online, among many others, fooling them into clicking on a link that installed keystroke logging software. The legal document appears to be a subpoena from the US Federal District Court in San Diego. The fake documents were effective both because of their use of legal language and because they included the exact names, phone numbers and companies of the targets.
-http://afp.google.com/article/ALeqM5icpWGNHQrwvd-ohpTweHi-pmr0IA

A former US military contractor employee has pleaded guilty to aggravated identity theft. Randall Craig worked at the Marine Corps Reserve Center in San Antonio, TX and was arrested after he sold a thumb drive containing the names and Social Security numbers (SSNs) of 17,000 military employees to an individual he believed to be a representative of a foreign government. The individual was, in fact, an undercover FBI agent. Craig also pleaded guilty to exceeding authorized access to a computer. The unauthorized access charge carries a maximum sentence of five years and a maximum fine of US $250,000. The identity theft charge carries a mandatory two-year sentence to be served consecutively to the other sentence and also carries a maximum fine of US $250,000. He is currently being held without bond.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9082158&intsrc=news_ts_head

Japanese City Employee Demoted for Surfing Porn at Work (May 2, 2008)

An unnamed city employee in Kinokawa, Japan has been demoted for logging hundreds of thousands of hits on pornographic web sites on his computer at work in just nine months. The situation came to light when the man's computer became infected with malware and officials looked at his browser history. While he has not been fired, his demotion comes with a pay cut of approximately 20,000 yen (US $190) a month.
-http://news.bbc.co.uk/2/hi/asia-pacific/7379742.stm

POLICY & LEGISLATION

Virginia public schools will be teaching Internet safety education to students in grades K-12 to satisfy the state Board of Education's mandate for Internet safety instruction. Ultimately, Internet safety and skills lessons will be integrated into the district's curriculum rather than being taught as a separate subject.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/05/02/AR2008050203831_pf.html
[Editor's Note (Skoudis): This is good news. People need to understand the basics of securing their Internet activities, or else attacks will continue to escalate. This knowledge doesn't seem to be innate, unlike locking your front door in a bad neighborhood, so it must be taught. I applaud efforts like this.
(Kreitner): I hope this instruction includes some content on personal responsibility and other cultural perspectives as well as safety. I think we adults greatly underestimate the cultural aspects of the Internet in terms of its influence on young people's thinking. For example, I am astounded at the potentially embarrassing information students put on MySpace and Facebook, apparently based on some extension of their assumption about anonymity on the Internet.]

UCSF Delays Notifying Patients of Data Exposure (May 2, 2008)

The University of California San Francisco (UCSF) waited nearly six months to notify more than 6,000 patients that their personally identifiable information had been accessible on the Internet for more than three months. UCSF discovered the data security breach in early October 2007, but sent out notification letters in early April 2008. UCSF had been sharing patient information with Target America and paying that company US $12,000 a year to establish a list of potential donors from the patient list. Target America performs data mining on lists it is provided to determine who would be a good target for donation solicitations. Shortly after discovering the breach, UCSF terminated its relationship with Target America. As of January 2008, health care providers in California are required to inform patients if their information has been compromised.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/01/MNKE10DRGN.DTL&tsp=1

STATISTICS, STUDIES & SURVEYS

Purdue's CERIAS Program Rated the Top US Information Security Program (May 1, 2008)

Purdue University's CERIAS (Center for Education and Research in Information Assurance and Security) program has been rated the top university information security program in the US. Academic Analytics LLC, which ranks doctoral programs on the basis of scholarly output, found that the CERIAS faculty members had the highest productivity. CERIAS differs from many other information security programs in that it takes a multidisciplinary approach that involves not only computer science, but also psychology, law, political science, industrial technology, and other disciplines.
-http://news.uns.purdue.edu/x/2008a/080502SpaffordRanking.html

A presentation by Feng Xue from Nevis Networks given at the latest Microsoft BlueHat session demonstrated how attackers can circumvent anti-virus software installed on target machines. Microsoft's BlueHat sessions are invitation-only events held every six months where computer security researchers interact with Microsoft's software developers to help identify weaknesses in Microsoft's products. Other highlights included a talk on design weaknesses in Windows, security issues with web browsers, and how scripts can monitor the online activity of a targeted user.
-http://www.zdnetasia.com/news/security/0,39044215,62040947,00.htm

Hundreds of Laptops Missing at U.S. Dept. of State (May 2, 2008)

An internal audit has discovered that hundreds of employee laptops are unaccounted for within the U.S. Department of State. Up to 400 of those laptops belong to the Department's Anti-Terrorism Assistance Program, which provides assistance to foreign police and security forces in the form of counterterrorism training and equipment.
-http://www.cqpolitics.com/wmspage.cfm?docID=hsnews-000002716318&cpage=1

The information security world is taxing. We spend a lot of time fixing problems that often don't stay fixed. New vulnerabilities are discovered daily, and applying one update or patch sometimes exposes weaknesses elsewhere. We hope that our IPS and firewalls can cover for us while we try to keep up, but how do we really know that things are working the way they should?

Some of the issues surrounding log management (LM) include privacy, storage requirements, and meeting regulatory or legislative requirements. Finally, integration of LM into an organization's overall security dashboard will be the focus of this presentation.

The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds, searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center and new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Most security and IT professionals agree that the corporate network "perimeter" is no longer viable because of laptops, tunneling applications, VPNs, wireless, and the like. But conventional wisdom in network security is still very perimeter oriented. Why the inconsistency? Perhaps people really don't think the problem is that significant or the risk that high. Or maybe they do think it's a real problem, but hesitate to act because of cost, complexity, and risk to application availability. This webinar will review the key aspects of this inconsistency and offer solutions to better manage the "inside risk."

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top 20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/